Once attackers have a foothold on a domain-joined machine, they gain full visibility of the domain. From that point they can take control of the entire organization with a single lateral-movement hop, and potentially harvest every domain credential within two hops. This common methodology is stealthy and almost impossible to detect with conventional solutions.
After gaining that foothold, the attacker's first objective is to map out every highly privileged identity in the network. A few Active Directory queries, none of which require a privileged account, return a fully up-to-date list of all administrators, including their usernames and recent activity, and the attacker can then start hunting them down internally.
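A defender-side check for the enumeration step described above, as an added example that is not part of the original post: it scans domain-controller LDAP query logs for search filters that single out privileged identities and flags any client/user pair that issues them repeatedly. The log line format and the sample records are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample LDAP search log (assumed format: one query per line,
# written by a DC-side LDAP logging tool); not from the original post.
SAMPLE_LOG = """\
2024-03-01T09:12:01Z client=10.0.5.23 user=DC01$ filter=(objectClass=computer)
2024-03-01T09:13:44Z client=10.0.8.17 user=jsmith filter=(adminCount=1)
2024-03-01T09:13:45Z client=10.0.8.17 user=jsmith filter=(memberOf=CN=Domain Admins,CN=Users,DC=corp,DC=local)
2024-03-01T09:14:02Z client=10.0.8.17 user=jsmith filter=(cn=fileserver02)
2024-03-01T09:20:10Z client=10.0.2.5 user=svc-monitor filter=(cn=printserver01)
"""

# Filter fragments that enumerate administrators: accounts protected by
# AdminSDHolder (adminCount=1) or direct membership in the built-in admin groups.
PRIVILEGED_PATTERNS = [
    re.compile(r"adminCount=1", re.I),
    re.compile(r"memberOf=CN=(Domain|Enterprise|Schema) Admins", re.I),
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) user=(?P<user>\S+) filter=(?P<filter>.*)$"
)


def parse_line(line):
    """Split one log line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def flag_privileged_enumeration(log_text, threshold=2):
    """Return {(client, user): [filters]} for principals whose count of
    privileged-identity queries in the log reaches `threshold`."""
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if any(p.search(rec["filter"]) for p in PRIVILEGED_PATTERNS):
            hits[(rec["client"], rec["user"])].append(rec["filter"])
    return {k: v for k, v in hits.items() if len(v) >= threshold}


if __name__ == "__main__":
    for (client, user), filters in flag_privileged_enumeration(SAMPLE_LOG).items():
        print(f"ALERT {user}@{client} issued {len(filters)} privileged-identity queries")
```

A low-privileged account issuing these filters from an ordinary workstation is the signal worth alerting on; tune `threshold` and add an allow-list for known administrative hosts before deploying.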